Cybersecurity researchers have found an up to date model of an Android malware known as TgToxic (aka ToxicPanda), indicating that the risk actors behind it are constantly making adjustments in response to public reporting.
“The modifications seen within the TgToxic payloads replicate the actors’ ongoing surveillance of open supply intelligence and reveal their dedication to enhancing the malware’s capabilities to enhance safety measures and maintain researchers at bay,” Intel 471 said in a report printed this week.
TgToxic was first documented by Development Micro in early 2023, describing it as a banking trojan able to stealing credentials and funds from crypto wallets in addition to financial institution and finance apps. It has been detected within the wild since no less than July 2022, primarily specializing in cellular customers in Taiwan, Thailand, and Indonesia.
Then in November 2024, Italian on-line fraud prevention agency Cleafy detailed an up to date variant with wide-ranging data-gathering options, whereas additionally increasing its operational scope to incorporate Italy, Portugal, Hong Kong, Spain, and Peru. The malware is assessed to be the work of a Chinese language-speaking risk actor.
Intel 471’s newest evaluation has discovered that the malware is distributed by way of dropper APK information possible by way of SMS messages or phishing web sites. Nonetheless, the precise supply mechanism stays unknown.
A number of the notable enhancements embrace improved emulator detection capabilities and updates to the command-and-control (C2) URL era mechanism, underscoring ongoing efforts to sidestep evaluation efforts.
“The malware conducts a radical analysis of the system’s {hardware} and system capabilities to detect emulation,” Intel 471 mentioned. “The malware examines a set of system properties together with model, mannequin, producer and fingerprint values to determine discrepancies which are typical of emulated techniques.”
One other important change is the shift from hard-coded C2 domains embedded inside the malware’s configuration to utilizing boards such because the Atlassian neighborhood developer discussion board to create bogus profiles that embrace an encrypted string pointing to the precise C2 server.
The TgToxic APK is designed to randomly choose one of many neighborhood discussion board URLs offered within the configuration, which serves as a dead drop resolver for the C2 area.
The method gives a number of benefits, foremost being that it makes it simpler for risk actors to vary C2 servers by merely updating the neighborhood consumer profile to level to the brand new C2 area with out having to concern any updates to the malware itself.
“This technique significantly extends the operational lifespan of malware samples, preserving them purposeful so long as the consumer profiles on these boards stay lively,” Intel 471 mentioned.
Subsequent iterations of TgToxic found in December 2024 go a step additional, counting on a website era algorithm (DGA) to create new domains to be used as C2 servers. This makes the malware extra resilient to disruption efforts because the DGA can be utilized to create a number of domains, permitting the attackers to change to a brand new area even when some are taken down.
“TgToxic stands out as a extremely subtle Android banking trojan on account of its superior anti-analysis methods, together with obfuscation, payload encryption, and anti-emulation mechanisms that evade detection by safety instruments,” Approov CEO Ted Miracco mentioned in a press release.
“Its use of dynamic command-and-control (C2) methods, similar to area era algorithms (DGA), and its automation capabilities allow it to hijack consumer interfaces, steal credentials, and carry out unauthorized transactions with stealth and resilience towards countermeasures.”
